The security gaps in Microsoft Exchange servers that became known about a month ago triggered a worldwide wave of attacks and continue to pose a threat to IT infrastructures. We show you how you can best protect yourself against such attacks: With our preventive measures and the use of state-of-the-art technologies, you significantly reduce security risks.
Microsoft Exchange zero-day attack
Numerous Microsoft Exchange servers became the target of a zero-day exploit. Several vulnerabilities led to mass attacks on Microsoft’s e-mail service. The security gaps only became public after Microsoft provided an unscheduled patch. Those who applied this patch immediately were able to close the corresponding gaps. In the meantime, however, the vulnerabilities were exploited for cyber espionage and crime. Since Microsoft Exchange is a product with countless users, the damage is particularly huge.
What exactly happened?
Microsoft Exchange is a widely used email delivery application and is used by many organisations of all sizes around the world. Microsoft Exchange can be used as a software-as-a-service via the Microsoft Cloud or alternatively operated as on-premises software. According to Microsoft, only on-premises Exchange servers were affected by the incident.
Microsoft sees a nation-state hacker group operating from China, called HAFNIUM, as the main actor in the attacks. This group presumably initially targeted US companies for espionage. The attackers used the vulnerabilities to gain access to Exchange servers and emails. This allowed them to penetrate further into systems and pick up data.
However, the initial targeted, individual attacks were quickly followed by a mass wave of attacks.
Criminal groups exploited the unpatched systems, for example, to infiltrate malware. In the meantime, most of the gaps have been closed by the updates, but this does not necessarily mean that the threat is over, as the attackers have left traces. Any webshells that have been created (enabling remote access) can still be used as gateways for ransomware attacks. With the help of ransomware, hackers encrypt company data and then demand a ransom to unlock the data.
Due to the high number of potential victims and the highly critical situation, the BSI (Federal Office for Information Security) then declared the highest IT threat level. Many companies in Germany as well as public authorities and companies in the critical infrastructure were and still are affected.
Why is a zero-day exploit that dangerous?
In a zero-day exploit, previously unknown vulnerabilities and programming errors in applications are exploited. Attackers use these vulnerabilities to access data or install malware even before the manufacturer (in this case Microsoft) can develop a patch for the corresponding gap. Only these patches fix the errors. The lead time until a patch is made available gives criminals the opportunity to cause massive damage.
Zero-day exploits can be detected at the earliest after an initial attack, but can also remain undetected for a long period of time. Simple antivirus programmes are often not sufficient to detect these exploits.
Our services and security measures
This incident shows once again how important it is to take preventive security measures. Therefore: cybersecurity must be taken seriously and you should be prepared for possible incidents! In the worst case, an attack of this kind can compromise entire company networks. This not only disrupts operations, but also threatens business-critical company data and thus the entire company.
Therefore, use our services to be protected against cyberattacks in the best possible way. 100% protection, especially with regard to zero-day attacks, is difficult, but appropriate measures significantly reduce risks and failures. Preventive action is the key, because actions in the event of an attack often come too late. We minimise the risks in advance and react very quickly in an emergency.
Our services and recommendations with regard to the Microsoft Exchange incident:
- Managed services for servers: Patch management with regular updates of all applications
- Managed IT Security: Effectively prevent and defend against attacks with security technologies
- On-Premises vs. Cloud: Consider using Microsoft Exchange as SaaS
Fast and reliable patch management for your servers
Patch management is part of our Managed Services for servers. Continuous security updates are necessary to close security gaps and fix program errors.
We take over the entire testing, monitoring and control of patch management. We are aware of all the necessary updates and install them regularly. This ensures that your systems are always secure and up to date.
If an unscheduled update is due, as in the case of Microsoft Exchange, fast action is required: such critical patches have the highest priority and we carry out these updates manually without delay. In this way, we eliminate the sources of errors as quickly as possible to ensure the security of our customers’ systems.
As a matter of principle, your servers are regularly maintained and checked as part of our managed services. We uncover possible vulnerabilities and proactively eliminate errors.
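To make the patch-management priorities concrete, here is an added example (not the provider's managed-services tooling) that triages a server fleet by installed build: hosts behind an unscheduled, critical update go into an "immediate" queue, hosts behind a regular update are "scheduled", and builds from an unknown release branch are flagged rather than silently treated as fine. All host names, build numbers and the REQUIRED table are constructed placeholders, not real Exchange build numbers.

```python
"""Patch-compliance triage for a small server fleet.

Added example for this article; it is not the provider's managed-services
tooling. All host names, build numbers and the REQUIRED table below are
constructed placeholders, not real Exchange build numbers."""

from typing import Dict, List, Tuple

# Minimum patched build per release branch, keyed by the leading "major.minor"
# of the build string. Constructed values; "critical" marks an unscheduled,
# out-of-band security update that must be installed without delay.
REQUIRED: Dict[str, dict] = {
    "15.1": {"min_build": "15.1.2000.0", "critical": True},
    "15.2": {"min_build": "15.2.800.0", "critical": True},
    "14.3": {"min_build": "14.3.500.0", "critical": False},
}

# Constructed inventory: (host name, installed build)
INVENTORY: List[Tuple[str, str]] = [
    ("mx-01.example.invalid", "15.1.2000.2"),
    ("mx-02.example.invalid", "15.1.1900.7"),
    ("mx-03.example.invalid", "15.2.700.1"),
    ("legacy.example.invalid", "14.3.480.0"),
    ("unknown.example.invalid", "16.0.1.0"),
]


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn "15.1.2000.2" into (15, 1, 2000, 2) so builds compare numerically.

    Comparing the raw strings would be wrong: "15.1.10000.0" sorts before
    "15.1.2000.0" lexically but is the newer build."""
    return tuple(int(part) for part in build.split("."))


def branch_of(build: str) -> str:
    """Release branch is the leading "major.minor" of the build string."""
    return ".".join(build.split(".")[:2])


def triage_host(build: str) -> str:
    """Return "ok", "immediate", "scheduled" or "unknown-branch" for one host."""
    req = REQUIRED.get(branch_of(build))
    if req is None:
        # A branch we have no requirement for is a gap in the inventory,
        # not a compliant host; surface it instead of assuming "ok".
        return "unknown-branch"
    if parse_build(build) >= parse_build(req["min_build"]):
        return "ok"
    return "immediate" if req["critical"] else "scheduled"


def triage_fleet(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by required action so the immediate queue is worked first."""
    report: Dict[str, List[str]] = {
        "immediate": [], "scheduled": [], "ok": [], "unknown-branch": []
    }
    for name, build in inventory:
        report[triage_host(build)].append(name)
    return report


if __name__ == "__main__":
    for status, hosts in triage_fleet(INVENTORY).items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```

In a real deployment the inventory and the required-build table would come from the monitoring system and the vendor's release notes respectively; the point of the example is the numeric comparison and the separate queue for unscheduled critical patches.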
Managed IT Security with Firewall & Endpoint Protection
Another important pillar to be sufficiently protected against cyberattacks is a coordinated security concept. We rely on the advanced security solutions from Sophos, which are used by our customers and have clearly proven their worth.
- Advanced tools and intelligent technologies
- Proactive monitoring and rapid response to threats
- Real-time security analysis with Security Heartbeat
Sophos offers a cybersecurity system in which the individual components are intelligently networked and work together in a coordinated manner – IT security at the highest level. Sophos products actively exchange information in real time and react automatically to incidents. This coordinated interaction enables comprehensive protection.
In the event of unauthorised access from outside, as in the case of the HAFNIUM group, the firewall and endpoint protection in particular come into play.
Endpoint Protection includes special technologies to protect against ransomware, malware, exploits and viruses. It offers unique protection that effectively blocks attacks.
In addition, the firewall monitors network traffic and protects against unauthorised access. Thanks to the Unified Threat Management approach, the Sophos product goes far beyond the protection of a simple firewall. The firewall is also able to detect hidden risks and ward off unknown threats. This is where a monitoring system, the Intrusion Detection System (IDS), and a control mechanism, the Intrusion Prevention System (IPS), both integrated into the firewall, come into play. These systems monitor all data movements and accesses and compare them with a database of known threats. If irregularities occur, alerts are issued and appropriate countermeasures are initiated. This behaviour-based approach proves particularly effective against zero-day exploits, because unknown attack patterns are recognised more quickly.
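The two detection ideas in the paragraph above, matching traffic against a database of known patterns and flagging irregular behaviour, can be shown side by side in a small detector. The following is an added example written for this article; it is not Sophos code and does not reproduce any vendor rule set. The access-log lines, the signature list and the burst threshold are all constructed for illustration.

```python
"""Minimal signature-plus-behaviour detector over web-server access log lines.

Added example; not Sophos code and not a real rule set. The log lines,
SIGNATURES and the threshold below are constructed for illustration."""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed access-log lines in common log format (client, timestamp,
# request line, status, bytes). 198.51.100.9 models a source that probes
# several non-existent paths in quick succession.
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2021:08:00:01 +0000] "GET /mail/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2021:08:00:03 +0000] "POST /mail/login HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2021:08:01:10 +0000] "GET /static/../../secret HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Mar/2021:08:01:11 +0000] "GET /admin HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Mar/2021:08:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Mar/2021:08:01:13 +0000] "GET /.env HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Mar/2021:08:01:14 +0000] "GET /config.php HTTP/1.1" 404 0',
    '192.0.2.44 - - [10/Mar/2021:09:30:00 +0000] "GET /mail/ HTTP/1.1" 200 5120',
]

# "Database of known threats": constructed signatures applied to the request path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("known-bad-path", re.compile(r"^/example-known-bad-path")),  # placeholder rule
]

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, ts, method, path, status, _ = m.groups()
    return {
        "src": src,
        "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           threshold: int = 4) -> List[dict]:
    """Return alerts from signature matches and from error bursts per source.

    Signature rule: any request path matching a known pattern.
    Behaviour rule: `threshold` or more 4xx/5xx responses to one source
    within `window`, which is an irregularity regardless of the exact paths."""
    alerts: List[dict] = []
    errors_by_src: Dict[str, List[datetime]] = defaultdict(list)
    flagged_bursts = set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector

        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append({"type": "signature", "rule": name,
                               "src": rec["src"], "path": rec["path"]})

        if rec["status"] >= 400:
            recent = errors_by_src[rec["src"]]
            recent.append(rec["ts"])
            # Keep only timestamps inside the sliding window.
            while recent and rec["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold and rec["src"] not in flagged_bursts:
                flagged_bursts.add(rec["src"])  # one alert per source per burst
                alerts.append({"type": "behaviour", "rule": "error-burst",
                               "src": rec["src"], "count": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the constructed input the signature rule fires once (the traversal path) and the behaviour rule fires once for the source that collects four error responses within a minute. The behaviour alert needs no knowledge of which paths were requested, which is the property the paragraph attributes to behaviour-based detection; an IPS would additionally act on the alert, for example by blocking the source.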
The special feature of this IT security system: endpoints and firewall exchange information in real time via the so-called security heartbeat. This creates a central point for effective and coordinated detection, defence and reaction to threats. Thanks to this Synchronized Security, your systems are also protected against complex threat scenarios.
Cloud instead of on-premises?
If you are running your Exchange Server on-premises, you should reconsider whether this is the best and most secure option for you. Alternatively, consider using Microsoft Exchange as SaaS. We recommend moving to Microsoft Exchange Online if possible. However, every company is unique and has different requirements, so this must always be assessed on a case-by-case basis. We would be happy to advise you individually on your specific situation. If moving server operation to the Microsoft Cloud is an option for you, we will be happy to take care of the complete data migration.
Do you have further questions on this topic? We look forward to hearing from you!
We are the right partner for the security of your IT infrastructure.